Re: RFC: draft-brown-device-stock-ua-00.txt

On 08.11.2012 07:17, Eitan Adler wrote:
> On 7 November 2012 13:04, Tiffany B. Brown wrote:
>> Hello all,
>>
>> I've recently submitted an RFC for a new HTTP header: Device-Stock-UA.
>> Feedback is welcome.
>>
>> http://www.ietf.org/staging/draft-brown-device-stock-ua-00.txt
>
> It isn't at all clear to me that this solves the problem:
>
> - the stock services may have been changed. Just because a browser
> comes with a device by default doesn't mean it wasn't removed.
> - the capabilities of the third party browser may differ from the
> capabilities of the stock browser
> - user agent shouldn't be used for capability detection in the first place
> - what does the (stock) user agent string have to do with "other
> software that may be running in addition to the user agent"?

... and why must a new header with identical usage, syntax and handling 
as User-Agent be created to perform User-Agent operations?

In section 4 the example does not match the BNF.

Following the format:
    Device-Stock-UA = "Device-Stock-UA" ":" (User-Agent)
    User-Agent = <Defined in RFC2616 Section 14.43>

We get:
        Device-Stock-UA: User-Agent: CERN-LineMode/2.15 libwww/2.17b3


Correcting that mistake, the uselessness of creating this header becomes 
completely obvious:

{{
   Device-Stock-UA = "Device-Stock-UA" ":" 1*( product | comment )
   User-Agent      = "User-Agent"      ":" 1*( product | comment )
}}


You might as well define this as a listing of ALL software, Java class, 
active component, and hardware chip serial number installed on the 
device. Just in case some marketer or website widget *might* want to 
know. Do you see the problem? If not, have a look at the IE6 UA string 
after a few hundred KB patches have been applied - utter mess useful only 
to help malicious attackers target specific missing patches.


The operating UA is already free to embed the device stock UA into its 
own UA string using the same format. If it is making use of that UA's 
capabilities to generate the request that is reasonable.

I for one see zero benefit from creating this header.

Amos

Received on Wednesday, 7 November 2012 22:50:45 UTC
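
The BNF mismatch discussed in the message above can be checked mechanically. The following is an added example, not code from the thread or from the draft: a small parser for the `1*( product | comment )` value grammar of RFC 2616, applied to both forms of the header line. The function names `parse_ua_value` and `check_header_line` are hypothetical.

```python
import re

# RFC 2616 section 2.2 token: any CHAR except CTLs and separators.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT = re.compile(rf"{TOKEN}(?:/{TOKEN})?")  # product = token ["/" product-version]

def _comment_end(s, i):
    """Index just past the (possibly nested) comment opening at s[i], or -1."""
    depth = 0
    while i < len(s):
        if s[i] == "\\":          # quoted-pair: the next character is literal
            i += 1
        elif s[i] == "(":
            depth += 1
        elif s[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return -1                     # unbalanced parentheses

def parse_ua_value(value):
    """Parse 1*( product | comment ); return the elements, or None if invalid.
    Simplification: control characters inside comments are not rejected."""
    items, i = [], 0
    while i < len(value):
        if value[i] in " \t":     # implied LWS between elements
            i += 1
        elif value[i] == "(":
            end = _comment_end(value, i)
            if end < 0:
                return None
            items.append(("comment", value[i:end]))
            i = end
        else:
            m = PRODUCT.match(value, i)
            # a product must be followed by LWS, a comment, or end of value
            if not m or (m.end() < len(value) and value[m.end()] not in " \t("):
                return None
            items.append(("product", m.group()))
            i = m.end()
    return items or None

def check_header_line(line):
    """Split 'Name: value' and parse the value with the shared grammar."""
    name, _, value = line.partition(":")
    return name.strip(), parse_ua_value(value.strip())

if __name__ == "__main__":
    for line in ("Device-Stock-UA: CERN-LineMode/2.15 libwww/2.17b3",
                 "Device-Stock-UA: User-Agent: CERN-LineMode/2.15 libwww/2.17b3"):
        print(check_header_line(line))
```

The second line is rejected because ":" is a separator and cannot appear in a token, so a value that embeds the `User-Agent` field name is not a valid product list.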